From 627af8ce57d638b94788e084a352cd879e8b0568 Mon Sep 17 00:00:00 2001 From: Yuki Okushi Date: Sun, 2 Nov 2025 10:52:25 +0900 Subject: [PATCH] chore(gha): setup cargo-deny (#3816) --- .github/workflows/ci.yml | 4 ++++ deny.toml | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 deny.toml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0bf5b7718..e1ae7b4c9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -85,6 +85,10 @@ jobs: - name: CI cache clean run: cargo-ci-cache-clean + - name: deny check + if: matrix.version.name == 'stable' && matrix.target.os == 'ubuntu-latest' + uses: EmbarkStudios/cargo-deny-action@f2ba7abc2abebaf185c833c3961145a3c275caad # v2.0.13 + io-uring: name: io-uring tests runs-on: ubuntu-latest diff --git a/deny.toml b/deny.toml new file mode 100644 index 000000000..f775089f4 --- /dev/null +++ b/deny.toml @@ -0,0 +1,45 @@ +[licenses] +confidence-threshold = 0.90 +allow = [ + "Apache-2.0", + "MIT", + "Unicode-3.0", + "ISC", + "CDLA-Permissive-2.0", + "BSD-3-Clause", + "Zlib", + "OpenSSL", + "MPL-2.0" +] +private = { ignore = true } + +# FIXME: old rustls introduces old ring which is not set license field properly. +[[licenses.clarify]] +crate = "ring" +expression = "MIT AND ISC AND OpenSSL" +license-files = [ + { path = "LICENSE", hash = 0xbd0eed23 } +] + +# FIXME: webpki is almost unmaintained and is not set license field properly. +# rustls has its own fork now so removing old rustls should resolve the issue. +[[licenses.clarify]] +crate = "webpki" +expression = "ISC" +license-files = [ + { path = "LICENSE", hash = 0x001c7e6c } +] + +[bans] +multiple-versions = "allow" + +[bans.build] +executables = "deny" + +[advisories] +# because of old rustls support: +ignore = [ + "RUSTSEC-2024-0336", + "RUSTSEC-2025-0009", + "RUSTSEC-2025-0010" +]